Penetration (Pen) Testing for SMBs

Posted by flashpoint on Jan 22, 2019 2:11:40 AM

Security jargon can be very confusing. Scanning, Pen Tests, Red Team Exercises and now Purple Teaming. It is easy to understand why companies under- or over- spend or simply choose not to test their systems. What’s the difference and which is right for your business?

What is a Pen Test?

A Pen Test is an Authorized simulated attack on your company’s systems designed to uncover exploitable vulnerabilities.

3 Pen Testing Approaches for SMBs

Choosing not to test cyber-defenses is turning out to be risky and expensive for businesses. Some of the worst breaches could have been prevented by some simple security testing. Alternatively, if there is an incident, not having a testing program in place makes the damage worse.

Until recently, robust security testing was out of reach for most SMBs. Outside of Financial Services and Healthcare, there were few options for SMBs that were cost effective and simple enough for the SMB.

A “check the box” pen test where a security team rips apart an IT team and hands them a big annual security report was all most organizations could do – if you could afford it. Today, with a wider array of security providers and platforms, some new approaches are available for SMBs.

Automated Pen Testing

Automated pen testing mocks up common attacks against your systems and data to uncover known vulnerabilities, flaws, default passwords or improper configurations.

Building on your automated vulnerability scan and enumeration results, automated pen testing tools probe your networks, servers and apps to uncover where an attacker might gain a foothold. Weak passwords? Improperly configured admin accounts? Automated penetration testing is a good way to uncover the common mistakes from which all organizations suffer.

There are some low cost automated solutions that can help SMB IT teams handle the most obvious vulnerabilities.

In Depth Pen Testing / Red Team Exercises

Red Team / Blue Team exercises get their name from the military. One group of security professionals, the Red Team, attacks a target, while a team of defenders, the Blue Team, protects the target from the attackers. Often called "Capture the flag" games, red team exercises provide a real-world look at your cyber-defenses against a skilled adversary.

Red team exercises are generally conducted within a set rules of engagement and provide a focused look at how an attacker will breach your defenses. Red team exercises are generally time boxed with clear goals and objectives and little communication between the teams.

Red Team exercises are more expensive and time consuming but can still be of value for SMBs. Done correctly in the context of a larger security program, Red team exercises can add value without breaking the budget.

Purple Teaming

Purple Teaming refers to an overall approach to security where the Red Team works with the Blue Team to run multiple scenarios and reduce risk. The security industry is shifting to reducing the time gap between detection of a risk and implementation of protective measures. Purple teaming is a rapid-iterative approach that integrates IT, Security and 3rd party testers that has proven effective.

“It is exponentially harder for us, as attackers, to get into companies that do purple teaming.” – Dave Kennedy[1]

Often in SMBs the red team is a 3rd party Security firm or consultant. The blue team is often the internal IT team. When the two teams work together protections can be implemented faster and with more precision.

Purple teaming may prove to be the most cost effective way to approach security for SMBs. A 3rd party security team working with an internal IT team is becoming a common model for SMBs. IT teams are often smaller with fewer resources, so the addition of an ongoing collaboration with a security team can prove to reduce risk quickly and keep it low.

Whatever approach the SMB chooses, doing nothing is not an option any more. With our reliance on technology and the increasing consequences of a breach, pen testing should be part of every SMBs plan.


[1] https://searchsecurity.techtarget.com/opinion/White-hat-Dave-Kennedy-on-purple-teaming-penetration-testing?src=5852413&asrc=EM_ERU_106541476&utm_content=eru-rd2-rcpC&utm_medium=EM&utm_source=ERU&utm_campaign=20190117_ERU%20Transmission%20for%2001/17/2019%20(UserUniverse:%20477460)

Topics: purple teaming, blue team, corporate cybersecurity, Cybersecurity & board of directors, Latest Publications, pen test, red team